Microsoft Windows has been at the forefront of enterprise computing for several decades. What most office workers see is the desktop side – such as Windows 7, 8 or 10. This course explores what it takes to design and build the server side of Windows in an enterprise environment. This course will explore everything from Windows Server installation to configuring users, to hardening the server operating system itself.
This course is the second course in the System Management and Security Specialization focusing on enterprise system management. The first week of this course provides an overview of how Windows operates in an enterprise environment and what it may look like in the real world. Week 2 of the course will show you how Windows users interact with the system. At the end of Week 2, you will be able to demonstrate how Windows authentication works. Week 3 will explore authorization in a Windows environment. At the end of Week 3, you will be able to differentiate between different authorization mechanisms and use different technologies to secure data within the environment. Week 4 explores built-in security features of Windows and demonstrates how to use each technology effectively and in what circumstances you would use what technology for what purpose. At the end of Week 4, you will be able to determine which technology is the best technology to use to secure certain portions of the Windows operating system.

Taught By

Greg Williams

Lecturer

Transcript

In this lesson, I'll discuss managing enterprise users. Now in the last few lessons, we've talked about the tools necessary to start managing users but we really haven't discussed why, in much detail, why we want to manage users. In this video, I hope to show you why we want to do that. Managing users is much easier from an enterprise perspective if we use the tools that are built into the domain. If we allow ACLs and role-based access control to go unchecked, we're going to have a security disaster at one point or another.

Let's go into Active Directory Users and Computers. I've added a few different accounts: Curly, Larry and Moe. Let's add these users to a group. In order to do this we'll go up to our right click, go up to New and go to Group. Group name we'll call Stooges. The global group scope and the group type of security are defaults in that way. That's what we want to select. Press OK and now we have our Stooges group. Let's add the three users: Curly; Larry; and Moe. All separated with a semicolon. Press Check Names so they auto populate and press OK. Now they're there and we can press OK.

Let's look at some information on our hard drive. Let's say these two folders were shared out, Secured Documents and Poorly Secured Documents. Let's add our security group to them. So in order to do this, I'm going to right click on the folder, click Properties and go to Security. Going to press Edit and Add. Then add the Stooges group and press OK. By default, they get Read & Execute, List Folder Contents, and Read. Now press Apply and OK. Let's do the same thing to Poorly Secured Documents, going to Edit, Add, and I'm going to, this time, add Curly plus Stooges. So now I have two new accounts there. Both of them have Read & Execute, List Folder Contents, and Read permissions. Now press OK.

Now here's what happens in an enterprise. Let's say that Curly leaves, and I go back to my Active Directory Users and Computers, I go into members, and let's remove Curly. "Do I want to move the selected members from the group?" Yes. Press OK. Curly no longer has access to the folders underneath the Stooges security group. However, if I go back into Poorly Secured Documents, and I go to Properties, and Security, notice that Curly is still there because I added him separately.

If we manage enterprise users with Groups in mind and with role-based access control in mind, we not only can remove access easier but we can also add access easier. Imagine if this folder, the Poorly Secured folder or Secured Documents folder, were multiplied by hundreds or thousands. Maybe there's financial data for years of a company that a new employee needed access to. What if we had to add individual users, the Curly user here, to every single folder? That would be a lot of work. However, if we just add them to the Stooges group, then one click and one add into the Stooges group, and now we've given the user access to all the financial data that they need. So it's not only a benefit when users come on board but it's also a benefit when they leave. If we remove them or we remove their group access from the groups that they're a part of, we can now manage the users much, much easier.

Additionally, if we add users into certain groups, then we can apply different permissions on them with group policy. Again, let's say that users need printer permissions, for example, or they need their firewall changed, for example. We can add them to a group that allows them access into whatever that they need instead of adding individual users. This is done again through Active Directory. In here we can add organizational units that allow us to manage users differently. This means that we can apply different policies on those users instead of individually or with role-based access. In order to do this, we would right click on the domain, go to New, and go to Organizational Unit. This is a way that we separate users and apply different policies or group policies to a set of users so that they are treated differently than the whole group.

So in conclusion, using the tools that we have inside of our domain allows us to streamline the on-boarding process and streamline off-boarding as well.
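The leftover Curly entry on Poorly Secured Documents is the kind of access that group cleanup never reaches, so it has to be found by auditing the folder ACLs themselves. The following is an added example, not part of the lecture: a PowerShell function that lists explicit permission entries granted directly to a domain user account, plus entries whose account has since been deleted. The function name `Get-DirectUserAce` and the `D:\Shares` paths are assumptions made for illustration.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module

function Get-DirectUserAce {
    param([Parameter(Mandatory)] [string[]] $Path)   # root folders to audit

    foreach ($root in $Path) {
        # Audit the root folder itself and every subfolder beneath it.
        $folders = @(Get-Item -LiteralPath $root) +
                   @(Get-ChildItem -LiteralPath $root -Directory -Recurse)
        foreach ($folder in $folders) {
            # Explicit entries only; inherited ones are reported where they are defined.
            $explicit = (Get-Acl -LiteralPath $folder.FullName).Access |
                        Where-Object { -not $_.IsInherited }
            foreach ($ace in $explicit) {
                $name = $ace.IdentityReference.Value
                $kind = $null
                if ($name -like 'S-1-5-21-*') {
                    # The SID no longer resolves to a name: the account was deleted
                    # but its entry was left behind on the folder.
                    $kind = 'UnresolvedSid'
                } else {
                    try {
                        $sid = $ace.IdentityReference.Translate(
                            [System.Security.Principal.SecurityIdentifier]).Value
                        # Only domain principals are classified; local accounts and
                        # well-known identities are not found in AD and are skipped.
                        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
                        if ($obj -and $obj.ObjectClass -eq 'user') { $kind = 'DirectUser' }
                    } catch { continue }
                }
                if ($kind) {
                    [pscustomobject]@{
                        Folder   = $folder.FullName
                        Identity = $name
                        Finding  = $kind
                        Rights   = $ace.FileSystemRights
                        Type     = $ace.AccessControlType
                    }
                }
            }
        }
    }
}

# Constructed paths for the two folders used in the demonstration.
Get-DirectUserAce -Path 'D:\Shares\Secured Documents', 'D:\Shares\Poorly Secured Documents' |
    Format-Table -AutoSize
```

In the scenario above, Secured Documents would return nothing because only the Stooges group is on its ACL, while Poorly Secured Documents would return one `DirectUser` row for Curly.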
